On Fri, 2022-09-09 at 11:07 +1000, NeilBrown wrote:
> On Fri, 09 Sep 2022, NeilBrown wrote:
> > On Fri, 09 Sep 2022, Trond Myklebust wrote:
> >
> > >
> > > IOW: the minimal condition needs to be that for all cases below, the
> > > application reads 'state B' as having occurred if any data was
> > > committed to disk before the crash.
> > >
> > > Application Filesystem
> > > =========== =========
> > > read change attr <- 'state A'
> > > read data <- 'state A'
> > > write data -> 'state B'
> > > <crash>+<reboot>
> > > read change attr <- 'state B'
> >
> > The important thing here is to not see 'state A'. Seeing 'state C'
> > should be acceptable. Worst case we could merge in wall-clock time of
> > system boot, but the filesystem should be able to be more helpful than
> > that.
> >
>
> Actually, without the crash+reboot it would still be acceptable to see
> "state A" at the end there - but preferably not for long.
> From the NFS perspective, the changeid needs to update by the time of a
> close or unlock (so it is visible to open or lock), but before that it
> is just best-effort.

Nope. That will inevitably lead to data corruption, since the
application might decide to use the data from state A instead of
revalidating it.
--
Trond Myklebust
Linux NFS client maintainer, Hammerspace
[email protected]